The present invention relates to network security, and more specifically, to forwarding a packet by a Network Virtualization Edge (NVE) in Network Virtualization Overlays, Layer 3 (NVO3).
With the development of cloud computing technology, virtualization has evolved from the traditional virtualization of computing resources to the virtualization of all IT resources, including computing, storage, and network. A user may conveniently rent IT resources from a cloud computing data center rather than directly purchase a physical server. Through such rental, a tenant may deploy computing resources as needed and reduce total cost of ownership while hardware resources are abstracted into logical, uniform software virtual resources, which also significantly reduces the deployment time of IT resources, accelerates the deployment of applications and allows quick response to user needs.
From the network perspective, multi-tenant technology imposes the following requirements on network virtualization: each tenant owns an independent IP address space, and the tenant can freely plan his rented network; data of different tenants are isolated from each other; the virtual computing resources of a tenant can be placed wherever he desires, without being limited by the location of physical network resources. Network Virtualization Overlays, Layer 3, proposed by the NVO3 working group of the Internet Engineering Task Force (IETF), fully meets these requirements and has become a mainstream technology for multi-tenant network virtualization.
In a network, security is always an important issue. One security problem is the Distributed Denial of Service (DDoS) attack, whose basic principle is that an attacker sends a large number of service requests to a victim, thereby occupying a large amount of service resources so that legitimate users cannot be served. A DDoS attacker usually impersonates other legitimate users when launching the attack, so as to evade security checks and source tracking; that is, the source IP in a data packet sent by the attacker is a fake IP (the source address does not exist, or belongs to another virtual machine or host).
DDoS attacks with spoofed source addresses also exist in an NVO3 network.
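The following is an added illustration, not a description of the invention or of any IETF-specified mechanism: it models an NVE that checks the inner source IP of a packet received from an attached virtual machine against the binding of that machine's virtual port, per tenant virtual network, and classifies the spoofing cases named above (a source address that does not exist, or one that belongs to another virtual machine or host). The binding table, the remote-host mapping, the VNI values and the addresses are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed binding table for this NVE (assumed structure, not from the page):
# (vni, virtual port) -> set of IPs the VM attached on that port may use as source.
# Tenants have independent address spaces, so 10.0.1.10 may legitimately appear
# in both VNI 100 and VNI 200.
PORT_BINDINGS = {
    (100, "vport1"): {IPv4Address("10.0.1.10")},
    (100, "vport2"): {IPv4Address("10.0.1.11")},
    (200, "vport3"): {IPv4Address("10.0.1.10")},
}

# Constructed: tenant addresses this NVE knows to be attached behind other NVEs.
REMOTE_HOSTS = {
    (100, IPv4Address("10.0.1.20")): "nve-2",
}


@dataclass(frozen=True)
class InnerPacket:
    """Fields of an inner (tenant) packet arriving on a local virtual port."""
    vni: int
    ingress_port: str
    src: IPv4Address
    dst: IPv4Address


def classify_source(pkt: InnerPacket) -> str:
    """Return 'ok' if the source IP is bound to the ingress port in this VNI,
    otherwise a string naming the kind of spoofing detected."""
    allowed = PORT_BINDINGS.get((pkt.vni, pkt.ingress_port), set())
    if pkt.src in allowed:
        return "ok"
    # Source is not bound to this port: see whose address is being borrowed.
    for (vni, port), ips in PORT_BINDINGS.items():
        if vni == pkt.vni and pkt.src in ips:
            return f"spoof:local-vm:{port}"
    if (pkt.vni, pkt.src) in REMOTE_HOSTS:
        return f"spoof:remote-host:{REMOTE_HOSTS[(pkt.vni, pkt.src)]}"
    return "spoof:nonexistent"


def nve_ingress(pkt: InnerPacket) -> tuple:
    """Forwarding decision at the ingress NVE: forward only verified sources."""
    verdict = classify_source(pkt)
    return ("forward" if verdict == "ok" else "drop", verdict)


def demo() -> list:
    """Run a constructed mix of legitimate and spoofed packets through the check."""
    victim = IPv4Address("10.0.1.50")
    pkts = [
        InnerPacket(100, "vport1", IPv4Address("10.0.1.10"), victim),  # genuine
        InnerPacket(100, "vport1", IPv4Address("10.0.1.11"), victim),  # other local VM
        InnerPacket(100, "vport1", IPv4Address("10.0.1.20"), victim),  # host behind nve-2
        InnerPacket(100, "vport1", IPv4Address("10.0.1.99"), victim),  # no such host
        InnerPacket(200, "vport3", IPv4Address("10.0.1.10"), victim),  # same IP, other tenant
    ]
    return [nve_ingress(p) for p in pkts]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Because the check runs at the ingress NVE, where the attached virtual machine's identity is known, a spoofed source is dropped before it is encapsulated and carried across the underlay, and the verdict string records which legitimate address was being impersonated for source tracking.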